PowerSploit

PowerSploit is an amazing set of PowerShell scripts used by information security professionals, and especially penetration testers. To download PowerSploit, clone it from its official GitHub repository, https://github.com/PowerShellMafia/PowerSploit:

# git clone https://github.com/PowerShellMafia/PowerSploit

After cloning the project, use the ls command to list the files:

From the following screenshot, you can note that PowerSploit contains a lot of amazing scripts for performing a number of tasks, such as:

As you can see from listing the downloaded project, Nishang is loaded with many scripts and utilities for performing the tasks commonly required during penetration testing engagements, such as:

Privilege escalation

Scanning

Pivoting

You can explore all the available scripts by listing the contents of the Nishang project using the ls command:

Let’s explore the power of some of Nishang’s scripts on a Windows machine:

You can import all the modules using the Import-Module PowerShell cmdlet:

Oops, something went wrong! Don’t worry: in order to use Import-Module, you need to open PowerShell as an administrator and type Set-ExecutionPolicy -ExecutionPolicy RemoteSigned:

Then you can import the modules:

Now, if you want, for example, to use the Get-Information module, you just need to type Get-Information:

If you want to unveil WLAN keys, type Get-WLAN-Keys:

You can go further and dump password hashes from a target machine during post-exploitation. Thanks to the Get-PassHashes module, you are able to dump password hashes. This is its output on my local machine:

You can even perform a phishing attack using Invoke-CredentialPhish, like in the previous demonstration. You can run this attack on the victim’s machine:

Defending against PowerShell attacks

In the previous sections, we went through various techniques for attacking machines using Metasploit and PowerShell. Now it is time to learn how to defend against and mitigate PowerShell attacks. In order to protect against PowerShell attacks, you need to:

Run the latest PowerShell version (version 5, when this book was written). To check the version, type Get-Host:

Monitor PowerShell logs.

Enforce a least-privilege policy and harden your Group Policy settings. You can edit them with the Local Group Policy Editor. If you are using the Windows 10 Enterprise edition, you can also use AppLocker:
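As an added example (not code from the article or from the Nishang or PowerSploit projects), the following PowerShell audit checks the three points above on the local machine: the PowerShell version, whether script block and module logging are enabled through policy, and whether any AppLocker rules are in effect. It also pulls recent script block events (ID 4104) that mention the Nishang cmdlets shown earlier. The function name Test-PowerShellHardening and that detection pattern are our own choices; the script assumes an elevated session.

```powershell
# Added example: audit the PowerShell hardening points listed above.
# Test-PowerShellHardening is our helper name, not a built-in cmdlet.
function Test-PowerShellHardening {
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # 1. Version: the logging features below need PowerShell 5 or later.
    $version   = $PSVersionTable.PSVersion
    $versionOk = $version.Major -ge 5

    # 2. Logging: both are off unless policy sets these DWORD values to 1.
    $sbl = Get-ItemProperty -Path "$policyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    $mod = Get-ItemProperty -Path "$policyRoot\ModuleLogging" -Name EnableModuleLogging -ErrorAction SilentlyContinue
    $scriptBlockLogging = ($sbl.EnableScriptBlockLogging -eq 1)
    $moduleLogging      = ($mod.EnableModuleLogging -eq 1)

    # 3. Execution policy is reported only; RemoteSigned (set earlier in the
    #    article) is a safety feature for users, not a security boundary.
    $executionPolicy = Get-ExecutionPolicy

    # 4. With script block logging on, event ID 4104 records what actually ran.
    #    Flag blocks that reference the Nishang scripts used in this article.
    $pattern = 'Get-PassHashes|Invoke-CredentialPhish|Get-WLAN-Keys'
    $recent  = @()
    if ($scriptBlockLogging) {
        $recent = Get-WinEvent -FilterHashtable @{
                      LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
                  } -MaxEvents 200 -ErrorAction SilentlyContinue |
                  Where-Object { $_.Message -match $pattern } |
                  Select-Object TimeCreated, Message
    }

    # 5. AppLocker: count rules in the effective policy (0 when unavailable).
    $appLockerRules = 0
    try {
        $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop
        $appLockerRules = [int](($policy.RuleCollections |
                               ForEach-Object { $_.Count } |
                               Measure-Object -Sum).Sum)
    } catch { }

    [pscustomobject]@{
        PowerShellVersion      = $version.ToString()
        VersionOk              = $versionOk
        ExecutionPolicy        = $executionPolicy
        ScriptBlockLogging     = $scriptBlockLogging
        ModuleLogging          = $moduleLogging
        AppLockerRuleCount     = $appLockerRules
        SuspiciousScriptBlocks = $recent
    }
}

Test-PowerShellHardening | Format-List
```

Any False in the logging fields or a zero AppLocker rule count points at a gap in the controls described above; the 4104 hits are the events to forward to your SIEM.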

Thus, in this article, we saw how combining Metasploit and PowerShell lets you perform more customized attacks and security tests. If you’ve enjoyed reading this post, and want to learn how to exploit enterprise VLANs and go from theory to real-world experience, do check out Advanced Infrastructure Penetration Testing.